In Conversation with Carrie Penman, Chief Risk & Compliance Officer, NAVEX Global
Matt Kelly:
Hello everyone and welcome to this inaugural episode of Coping Through COVID. This is a new podcast series sponsored by NAVEX Global where we talk about how COVID-19 is challenging corporate compliance and risk management, and how compliance and risk professionals can respond to those challenges in the best way possible. I'm your host, Matt Kelly, editor of Radical Compliance.
Let me tell you a bit more about what we're trying to do here. This will be a limited podcast series, at least eight or nine episodes, possibly as many as a dozen. Each one will be dedicated to a specific issue that compliance and risk leaders are likely to face thanks to COVID-19. So, for example, at some point we will be talking about cybersecurity and privacy concerns when most of your workforce is working from home or at some remote location. Another episode will look at public health practices that private enterprises will need to translate into policies and procedures for your daily business operations, assessing supply chain risk, reviewing guidance for a pandemic risk — because there is such guidance out there and it is quite good — and challenges specific to services, firms or manufacturing firms.
We're going to be looking at all of those things in due course. Some of our guests will be NAVEX Global executives; others will be independent voices, because the point of this series here is to get the best analysis possible for listeners, period, wherever those voices come from. Here in our first episode, however, we want to talk about the immediate challenges compliance officers have had since COVID-19 really struck the world at the beginning of March. That is, what has this emergency period been like? What have communications been like? What's the experience been like? What are we supposed to pivot into for long-term weathering of the COVID crisis, which is likely to last for many months?
To talk about all that our first guest is Carrie Penman, Chief Compliance and Risk Officer at NAVEX Global. Carrie is a long-time compliance professional. She's worked on the corporate side; she's worked on the advisory side. She has written about or spoken about issues like this for many years, so we're very fortunate to have Carrie here. Carrie, welcome. Thank you for joining us today.
Carrie Penman:
Thank you, Matt. Thanks for having me. I really appreciate this opportunity to talk about what we're all facing together right now.
Matt Kelly:
Indeed. Let's start with what you have been seeing at NAVEX Global, because I know as Chief Compliance Officer for NAVEX you get to see some trend analysis and bulk analytics about hotline activity. What's going on? What have you been seeing for the last four, six weeks or so?
Carrie Penman:
Yeah, that's a great question, Matt, and as you mentioned, I have literally spent decades studying hotline data and trends and statistics, because I feel very strongly that this data is really speaking to what's happening in organizations on a real-time basis and also is really a strong indicator of organizational culture. During this particular time I think that organizations are getting a variety of reports. I certainly can tell you, and it's probably no surprise, the majority of the reports that we have been taking for our customers here at NAVEX Global have been related to COVID-19, and I think that this is going to drive a significant shift in the benchmarking data that we typically report on an annual basis. I think [compared to] the benchmark reporting that we're doing for last year, this year we'll see a very different outcome.
I think anecdotally we're going to see a big spike in reports related to [the] environment, health and safety categories, maybe as well along the lines of HR. But I did reach out to my colleague and a leader in the contact center to ask him specifically straight on, “What are you hearing on the phones?” Abdul Green, who maybe many of our listeners know, the first thing he said was that callers are in some cases quite uncertain, and probably in many cases [uncertain] about their financial security. And he's seeing this particularly in retail and restaurant establishments where, as we know, a number of these establishments have had to close their doors and deal with mail order or delivery or takeout, and it's creating a whole host of financial issues for those who may be furloughed and what some are hearing and some are saying is that there's concern that there's been little to no communication on how organizations are going to support employees through this crisis.
So, quite a few questions about financial security. We're also receiving a number of reports about the lack of available protective equipment. Not much different than what we're hearing in the news, but we're also hearing it real-time in requests or pleas for getting the right equipment in order for those who do need to remain on the front lines to be able to do their job.
Interestingly, Abdul mentioned that we're seeing reports starting to vary along geographical lines. He noted that in Japan, where the crisis is hopefully starting to pass the worst, the reports are starting to be a little bit more backward-looking, if you will. Addressing what we've learned, or what the organizations have learned, and what needs to happen, what concerns are as they're emerging from the crisis. In Europe right now, it's immediate support. And in the US, there's more uncertainty. Not knowing is the worst, he said. And they really are looking for more communication about how this is all going to be addressed.
He noted that the calls have been much more emotional and folks are pretty scared, and that's something that we all need to be aware of. And some of that emotion may not come through in a transcribed report, but what we are hearing is a lot more emotion and fear in the voices of folks who are contacting us. So, I think it's really an opportunity for organizations to reflect on how we're messaging to employees, or not messaging, and ensuring that we do have, as part of our business continuity plans, a good way to support crisis communications, if you will, within the organization.
Matt Kelly:
You know, I was thinking that compliance officers work regularly with other parts of the enterprise, like HR or executive leaders, as they're trying to develop policies to respond to any business condition. And I guess the question that comes to my mind is, if we see this sudden change in internal reporting activity, whether it's in the more emotional sort of urgency and the anxiety, whether it's just the volume of calls, or whether it's the substance of what they're actually calling about, what is the compliance officer supposed to do with this awareness that things are changing? How is all of this going to change how the CCO works with other parts of the business to develop a leadership response or executive communication? Are we going to see CCOs working much more closely or more frequently with other parts of the enterprise, or what do you think?
Carrie Penman:
Well, I think absolutely, this requires the barriers to be broken between the various functions in an organization. We've often talked about maybe some tension between, say, compliance and human resources. We need to be joined at the hip with a number of our other functional leaders as we go through this crisis. Right now, HR is critical – and also internal communications. The communications teams are really a critical part of who we need to be connecting with. So, I think that the egos have to be checked at the door and we're all rolling up our sleeves.
Matt Kelly:
I often think a lot about good communication at large organizations and that cycle, from the top down to the front lines. The mission statement, the policy, whatever comes down. But what's so important these days is the cycle back up from the bottom to the top to tell them "this is what it's really like," "this is what you think might be working but actually it isn't," "this is what the workers are saying." And it strikes me that compliance, or whoever is in charge of the internal reporting system, this is a tremendously urgent early warning radar system. This is huge, huge, huge that compliance officers have to be on top of this.
Carrie Penman:
Absolutely. I've had a number of conversations with chief compliance officers in the last few weeks about this and I think our standard monitoring of activity in the past has typically been a look back, maybe over a quarter or some other period of time, and it's all after-the-fact types of reporting. But I think as you said, Matt, we really have a critical opportunity to demonstrate the relevance and the impact that we have on business strategy. I mean, if you think about it, as you said, we have our fingers on the pulse of the organization in real-time right now, and perhaps better than any other part of the organization - along with HR. I think it's going to shift on who we're communicating with. But right now the pandemic I think is providing us with the opportunity to assist really in live-action monitoring.
I think, for example, “Where have communications not been effective?” Or, “Are we starting to hear from a location that a certain group of employees that are being required to take what they believe are unsafe actions in order to meet productivity?” Those are the kinds of things that executives want to know in real-time. Because in the end, some of these decisions are creating additional risk for organizations.
I actually spoke with one CCO last week who said that they are providing daily updates to the rest of the leadership team on hotline activity and issues, and that this is feeding right into the crisis management team so that they can address quickly. And this is an opportunity where you cannot communicate enough. But I thought that was a very good insight that was shared, daily updates on what they're hearing and what they're learning.
And I think going forward, as I started to say, I expect that we're going to start to see some new issue types that are going to be related to some of the changes that we've all had to make in our business model in order to respond to the pandemic. So, for example, most organizations are in the work-from-home mode and this is presenting, I suspect, a whole host of new challenges. Whether it be data security, or misuse of time, or other types of issues that we might be expecting to hear over our reporting system.
I think it's a good time to think about these issues, how they will be addressed, and how do we step up communications. We have an opportunity to maybe get out a little bit of our crystal ball and say, all right, based on what we've heard before, let's think about, from a risk management perspective, what is our new work model going to look like and what new challenges will that present to us.
Matt Kelly:
Now, I want to pick up on what you just said. You said from a risk management perspective. Because I have long thought that compliance and risk management will kind of blur and fuse into one unified thing over a long period of time, and it strikes me that COVID-19 might now make that unified thing happen by like October. I thought this would be the challenge of the 2020s, not challenge of 2020. But it might very well be that because this is going to be the normal for many months, if not one or two years. Tell me what you think about this idea of if compliance and risk management are going to, I don't know what the verb is, get shoehorned, or fused, or whatever, but are we going to see something like that?
Carrie Penman:
I totally agree and I think this is a tremendous opportunity for us because in thinking about this podcast, Matt, you and I were talking about the fact that doing a strong risk assessment has always been a foundational element of a strong program. And yet in many cases, I think it was another box-checking exercise and this now needs to become a living, breathing activity in all organizations. I think when a lot of us were doing risk assessments and trying to think about things that might happen, we often got some pushback from various leaders saying, "well that can't happen here," "that's not going to happen here." Who would have thought what is happening would be happening? And the time for "it can't happen here" is over. And I think that the convergence of risk and compliance, it's really going to have a profound impact on business and that we as risk and compliance leaders have the opportunity to step into this moment and become involved in the strategies that include strong business continuity planning.
You know, how many organizations going into this — before this crisis, but in the strong economy —were already thinking about doing recession planning and what was that going to mean? Now, all of a sudden everybody's doing recession planning and that's part of a strong risk assessment. So I think that the time is here. I think you're right. We were talking about it converging in this decade. I agree with you, it's converging in the next six months and we have an opportunity to jump in and make a real difference in our organizations because we've been thinking about this stuff for a long time and now we have an opportunity to demonstrate how well we can execute here.
Matt Kelly:
See, if I could stand on my soapbox for a minute, I have been thinking for a while about business continuity planning and we will have a whole separate episode in this podcast series on business continuity, but for a lot of companies it's been more do we have sufficient employees? Do we have enough work from home technology? And things like that. And you could be totally ready to go for work from home, but business continuity now is going to be much more about is my customer base changing? Is my supplier base changing? It's more about looking at your whole business ecosystem, which could change from last week. It might look terrible this week, it might look okay next week, it could be worse. We have no idea. And it's going to be much more about continuously monitoring the business conditions in and around and next to your whole specific enterprise, regardless of how well-positioned you are to keep your lights on and keep the employees there.
If the supplier base is going haywire, if the customer base is going haywire, then your business is going to go haywire and you have to be thinking about business continuity in a whole different way. And, like we had said before, compliance is going to be one of those early warning systems with your employees who will be able to tell you we think this is kind of sort of going haywire right now. We have to watch this and really this is going to become one steady thing that we will have to manage as an executive team. Compliance is going to be part of it, but it feeds into this greater risk management effort that is going to, I think, feel very different than what we would have expected a year ago or even two months ago.
Carrie Penman:
Well, I might join you on the box. I totally agree with you because, like I said, to me everybody says, "oh, the convergence of risk management and business continuity," I mean that is really what was intended by, maybe on a smaller scale specifically to regulatory compliance, but the practices that we've developed and put in place are directly applicable to this particular situation. And I'll get off the box as well, but this is coming, and this is where we can make a huge difference because we have been thinking like this for a long time.
Matt Kelly:
All right, well Carrie, that's all the time we have today, but you gave us plenty to think about here and covered a lot of ground. We're going to wrap up now, but thank you very much for your time. I'm delighted to have you as our first guest.
Carrie Penman:
I'm very happy to join you Matt. And just a final thought to all of our listeners out there, we all wish you good health and good safety and are really looking forward to getting back together as we all come out the other side of this. Thanks, Matt for leading this important topic.
Matt Kelly:
Again, everyone, that was Carrie Penman, Chief Compliance and Risk Officer for NAVEX Global, talking with me today about the immediate communication and leadership challenges that compliance officers have been facing since the start of the COVID-19 crisis. If you have an idea for what you'd like this podcast to explore, please do let us know. You can drop me an email at mKelly@radicalcompliance.com. We would love to hear your thoughts. That's all for this episode of Coping Through COVID. I'm Matt Kelly, Editor of Radical Compliance. Thank you all for listening. Thank you to NAVEX Global for sponsoring this series and I hope you'll join us again next time.